Guided by A Guide to Cloud

SC-401 Study Guide

Domain 1: Implement Information Protection

  • Know Your Data: Sensitive Info Types
  • Custom Sensitive Info Types: Build Your Own
  • EDM & Fingerprinting: Detect Exact Data
  • Trainable Classifiers: AI-Powered Detection
  • Sensitivity Labels: Create & Protect
  • Sensitivity Labels: Publish & Auto-Apply
  • Email Encryption: Lock Down Messages
  • Purview IP Client: Classify Files at Scale

Domain 2: Implement DLP and Retention

  • DLP Foundations: Stop Data Leaks
  • DLP Policies: Build, Manage & Extend
  • DLP: Precedence & Adaptive Protection
  • Endpoint DLP: Setup & Configuration
  • Endpoint DLP: Advanced Rules & Monitoring
  • Retention: Plan Your Data Lifecycle
  • Retention Labels: Publish & Auto-Apply
  • Retention: Policies, Precedence & Recovery

Domain 3: Manage Risks, Alerts, and Activities

  • Insider Risk: Foundations & Setup
  • Insider Risk: Policies & Indicators
  • Insider Risk: Investigate & Close Cases
  • Adaptive Protection: Risk Levels Meet DLP
  • Purview Audit: Investigate & Retain
  • Activity Explorer & Content Search
  • Alert Response: Purview, XDR & Cloud Apps
  • DSPM for AI: Setup & Controls
  • DSPM for AI: Policies & Monitoring

DLP Policies: Build, Manage & Extend

Create DLP policies with conditions, actions, and exceptions. Extend DLP enforcement to third-party cloud apps by creating file policies in Microsoft Defender for Cloud Apps.

Building a DLP policy step by step

☕ Simple explanation

Think of DLP policies as security rules for a building.

  • Rule 1: “If someone carries a laptop bag out of the building after hours → stop them and check.”
  • Rule 2: “If someone badges into the server room without clearance → block entry and alert security.”

Each rule has a condition (what triggers it) and an action (what happens). DLP policies work the same way — you define what sensitive data looks like (conditions using SITs and labels) and what to do when it’s detected (block, warn, audit).

This module also covers extending DLP to third-party cloud apps using Defender for Cloud Apps file policies — because your data does not stay only in Microsoft 365.

DLP policies in Microsoft Purview are created through a wizard that defines locations, rules (conditions + actions), user notifications, incident reports, and deployment mode. Each policy can contain multiple rules with different severity levels and actions. Policies can use pre-built templates (aligned to regulations like GDPR, HIPAA, PCI-DSS) or be fully customised.

For third-party cloud apps (Box, Google Drive, Dropbox, Salesforce), Defender for Cloud Apps extends DLP by allowing you to create file policies that reference your Purview DLP policies. When files in connected apps match DLP conditions, Defender for Cloud Apps can apply governance actions — quarantine, label, remove sharing, or notify the admin.

DLP policy creation wizard

| Step | What You Configure |
|---|---|
| 1. Template or custom | Start from a regulatory template (GDPR, HIPAA, PCI-DSS, etc.) or a blank custom policy |
| 2. Name and description | Policy name visible to admins, plus a description of its purpose |
| 3. Locations | Which services to monitor — Exchange, SharePoint, OneDrive, Teams, endpoints, Power BI, third-party apps |
| 4. Rules | One or more rules, each with conditions, actions, and exceptions |
| 5. Notifications | Policy tips for users, email notifications to admins, incident reports |
| 6. Test or enforce | Start in test mode (recommended) or enable enforcement immediately |

Policy templates vs custom policies

Templates get you started fast; custom policies handle unique requirements
| Feature | Template-based Policies | Custom Policies |
|---|---|---|
| Starting point | Pre-built rules for specific regulations | Blank — you define everything |
| Examples | GDPR, HIPAA, PCI-DSS, Australia Privacy Act | Custom account numbers, internal project codes, organisation-specific rules |
| SITs included | Pre-configured for the regulation | You choose which SITs and labels to use |
| Customisable? | Yes — edit after creation | Fully custom from the start |
| Best for | Quick compliance with known regulations | Organisation-specific data that no template covers |

Conditions — what triggers a DLP rule

Each rule in a DLP policy defines conditions:

| Condition Type | What It Detects |
|---|---|
| SIT match | Content contains a specific sensitive info type (e.g., credit card number) |
| Sensitivity label | Content has a specific sensitivity label applied |
| Instance count | Number of SIT matches (e.g., “5 or more credit card numbers”) |
| Confidence level | Minimum confidence for SIT detection (low, medium, high) |
| File extension | Specific file types (.xlsx, .pdf, .zip) |
| Document property | Metadata values on files |
| Shared with | Content shared externally, with specific domains, or with “Anyone” links |

Instance count thresholds

Instance counts help differentiate between a single mention (possibly legitimate) and bulk data exposure:

| Instance Count | Typical Use |
|---|---|
| 1+ | Any occurrence — high sensitivity data like patient IDs |
| 5+ | Bulk data indicators — multiple credit cards in one document |
| 10+ | Large-scale exposure — likely a data export or dump |

Actions and user notifications

| Action | Description |
|---|---|
| Audit | Log the event in DLP reports without any user-visible action |
| Show policy tip | Display a notification in the app explaining the policy |
| Block access / sharing | Prevent external sharing or restrict access to the content |
| Block with override | Block but allow user to justify and proceed |
| Encrypt | Apply encryption to email messages |

User notifications and policy tips

DLP policy tips appear directly in the app where the user is working — in Outlook, Word, Teams, or the browser. They can include:

  • A custom message explaining why the action was flagged
  • A link to your organisation’s data handling policy
  • An option to override (if configured) with a justification

💡 Scenario: Dr. Liam configures DLP for patient data

Dr. Liam creates a DLP policy at St. Harbour Health:

Policy: “Protect Patient Health Information”
Locations: Exchange, SharePoint, OneDrive, Teams, Endpoints

Rule 1 — Low volume (1-4 matches):

  • Condition: 1-4 patient health identifier SIT matches, medium confidence
  • Action: Warn with policy tip — “This content may contain patient information. Ensure sharing is appropriate.”
  • Notification: Log only

Rule 2 — High volume (5+ matches):

  • Condition: 5+ patient health identifier matches, high confidence
  • Action: Block external sharing, notify user and compliance team
  • Override: Block with override — require business justification

Rule 3 — Bulk export:

  • Condition: 50+ matches in a single item
  • Action: Hard block — no override. Alert incident response team immediately.
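
The tiered thresholds from the instance count table and Dr. Liam's three rules, as an added example (not code from this guide or from Microsoft): a simplified Python model of rule matching, not Purview's evaluation engine. The `Rule` fields, the action names, the "low" confidence assumed for Rule 3, and the "most restrictive matched rule wins" tie-break are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

CONF = {"low": 0, "medium": 1, "high": 2}
# Least to most restrictive; "most restrictive matched rule wins" is this model's assumption.
RESTRICTIVENESS = ["none", "policy_tip", "block_with_override", "hard_block"]

@dataclass(frozen=True)
class Rule:
    name: str
    min_count: int
    max_count: Optional[int]  # None = no upper bound
    min_conf: str             # minimum confidence a match needs to be counted
    action: str

# Dr. Liam's rules as written in the scenario. Rule 3 states no confidence
# level, so "low" (count every match) is assumed here.
RULES = [
    Rule("Rule 1 - Low volume", 1, 4, "medium", "policy_tip"),
    Rule("Rule 2 - High volume", 5, None, "high", "block_with_override"),
    Rule("Rule 3 - Bulk export", 50, None, "low", "hard_block"),
]

def counted(matches, min_conf):
    """matches: {confidence level: instances detected at that level} for one item."""
    return sum(n for lvl, n in matches.items() if CONF[lvl] >= CONF[min_conf])

def evaluate(matches, rules=RULES):
    """Return (action applied, names of every rule that matched)."""
    hits = [r for r in rules
            if counted(matches, r.min_conf) >= r.min_count
            and (r.max_count is None or counted(matches, r.min_conf) <= r.max_count)]
    if not hits:
        return "none", []
    winner = max(hits, key=lambda r: RESTRICTIVENESS.index(r.action))
    return winner.action, [r.name for r in hits]

# Constructed sample items: per-confidence match counts, not real scan output.
SAMPLES = {
    "referral email": {"medium": 2},
    "clinic report": {"high": 7},
    "database export": {"high": 60},
    "uncovered: 5 medium": {"medium": 5},
    "uncovered: mixed": {"high": 3, "medium": 4},
}

if __name__ == "__main__":
    for label, matches in SAMPLES.items():
        print(f"{label:22} {matches} -> {evaluate(matches)}")
```

The last two samples match no rule: five medium-confidence matches exceed Rule 1's 1-4 range but never reach Rule 2's high-confidence bar. When tiers combine count ranges with different confidence levels, check that every combination lands in some rule before leaving test mode.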

DLP in Defender for Cloud Apps

For data in third-party cloud apps, create file policies in Defender for Cloud Apps:

How it works

  1. Connect cloud apps — Defender for Cloud Apps connects to Box, Google Drive, Dropbox, Salesforce, etc.
  2. Create a file policy — define the condition (references your DLP SITs or content inspection)
  3. Select governance action — quarantine, apply label, remove sharing, notify admin

File policy options

| Setting | What It Does |
|---|---|
| Content inspection | Scan files for SIT matches (uses the same SITs as Purview DLP) |
| Apply to | Specific apps, specific file types, or all connected apps |
| Governance actions | Quarantine file, remove external sharing, apply sensitivity label, notify owner |
| Alert | Generate an alert when the policy matches |

💡 Scenario: Marcus extends DLP to Google Drive

NovaTech uses Google Drive for some client projects. Marcus creates a file policy in Defender for Cloud Apps:

  • Condition: Files in Google Drive containing source code (pre-trained classifier) or NovaTech project codes (custom SIT)
  • Action: Apply “Confidential — NovaTech IP” sensitivity label + remove external sharing links
  • Alert: Notify Marcus when more than 10 files match in a single day

Now NovaTech’s IP protection extends beyond M365 to Google Drive — with the same SITs and labels.

Question

What is the difference between a DLP policy template and a custom DLP policy?

Answer

Templates are pre-built for specific regulations (GDPR, HIPAA, PCI-DSS) with pre-configured SITs and rules — ideal for quick compliance. Custom policies are built from scratch with your own SITs, labels, and conditions — needed for organisation-specific data formats.

Question

How do instance count thresholds help DLP policy design?

Answer

Instance counts differentiate severity. 1 credit card number in an email may be a legitimate transaction reference. 50+ credit card numbers likely indicates a data dump. Lower counts trigger warnings; higher counts trigger blocks. This reduces false positives for legitimate single-item sharing.

Question

How does DLP extend to third-party cloud apps like Google Drive?

Answer

Through Microsoft Defender for Cloud Apps. You connect the cloud app, create a file policy with content inspection (using the same SITs as Purview DLP), and configure governance actions — quarantine, remove sharing, apply labels, or alert admins.

Knowledge Check

Zara at Atlas Global needs DLP to protect employee personal data across M365 AND Google Drive (used by some regional offices). She already has DLP policies for Exchange and SharePoint. How should she extend protection to Google Drive?

Knowledge Check

Dr. Liam's DLP policy at St. Harbour Health is generating alerts for emails that contain a single patient identifier sent to known referral partners. These are legitimate clinical communications. How should he reduce these false positives without removing protection?


Next up: DLP: Precedence & Adaptive Protection — understand how multiple DLP rules and policies interact, and how Insider Risk levels dynamically adjust DLP enforcement.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.